feat(chart): Improved default security context #7279

Open. Wants to merge 1 commit into base: main.

Conversation

stevehipwell (Contributor)

Fixes #N/A

Description
This PR improves the default security context posture and adds support for setting container values which should be user defined.

How was this change tested?
The Helm chart was templated with the new values.

Does this change impact docs?

  • Yes, PR includes docs updates
  • Yes, issue opened: #
  • No

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@stevehipwell stevehipwell requested a review from a team as a code owner October 25, 2024 15:53
@stevehipwell stevehipwell requested a review from tzneal October 25, 2024 15:53
netlify bot commented Oct 25, 2024

Deploy Preview for karpenter-docs-prod canceled. Latest commit 35471b8; latest deploy log: https://app.netlify.com/sites/karpenter-docs-prod/deploys/678e2f93d6131a000890cc65

stevehipwell (Contributor, Author)

CC @jonathan-innis

@stevehipwell stevehipwell force-pushed the chart-security-context branch from e211a98 to 0e90ebf Compare November 4, 2024 15:42
@stevehipwell stevehipwell force-pushed the chart-security-context branch from 0e90ebf to dacfc30 Compare November 18, 2024 09:47
stevehipwell (Contributor, Author)

@tzneal could you take a look at this please?

github-actions bot commented Dec 2, 2024

This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity.

stevehipwell (Contributor, Author)

@jonathan-innis @tzneal could someone please take a look at this?

stevehipwell (Contributor, Author)

@jonathan-innis @tzneal could someone please take a look at this?

saurav-agarwalla (Contributor)

I'll take a look at this.

github-actions bot

This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity.

stevehipwell (Contributor, Author)

/not-stale

stevehipwell (Contributor, Author)

@saurav-agarwalla did you manage to take a look at this?

saurav-agarwalla (Contributor)

@stevehipwell apologies for the delay, I started reviewing this but then got side-tracked with the holidays and other things. Planning to get back to it this week.

@@ -72,7 +75,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \
| podDisruptionBudget.maxUnavailable | int | `1` | |
| podDisruptionBudget.name | string | `"karpenter"` | |
| podLabels | object | `{}` | Additional labels for the pod. |
| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
| podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. |
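Review bot: changing the documented default from `{"fsGroup":65532}` to one that also sets `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault` alters the shipped pod securityContext for every existing install, so it belongs in the chart's upgrade notes rather than passing silently through a helm-docs regeneration. Per the API reference quoted later in this thread, `runAsNonRoot: true` makes the kubelet refuse to start the container if the image resolves to UID 0, so confirm the controller image declares a numeric non-root user (the kubelet cannot validate a named user) or set `runAsUser` alongside it before making this the default.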
Contributor

Why do we need to change the defaults?

Contributor Author

Some systems need this making explicit for policy purposes.

Contributor

Same comment as the other one below. As per the documentation, we're changing the desired behavior by setting these values so I am not sure if we should be setting this for everyone:

Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core

Contributor Author

Karpenter runs as non-root so this can be set with no implications. It is 100% a best practice to set this.

Contributor

@stevehipwell My question was more around if/why this needs to be a breaking change (although I don't disagree that this is a best practice).

@@ -90,7 +93,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \
| settings.clusterCABundle | string | `""` | Cluster CA bundle for TLS configuration of provisioned nodes. If not set, this is taken from the controller's TLS configuration for the API server. |
| settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only) |
| settings.clusterName | string | `""` | Cluster name. |
| settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API |
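Review bot: the `settings.eksControlPlane` row is dropped from the README table while nothing in this hunk changes the value itself, so the removal looks unintended. If helm-docs generated this diff, the fix is to give `settings.eksControlPlane` a proper `# --` description comment in values.yaml so the generator emits the row, rather than hand-editing the README, which the next regeneration will undo again.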
Contributor

Any reason this is being removed?

Contributor Author

I'm not sure, I guess it might be a merge artifact.

Contributor

Can you add it back? I am seeing this in the latest main so I don't think we want to remove it: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/README.md?plain=1#L93.

Contributor Author

I'll add this back.

Contributor Author

So it turns out I didn't remove anything; whoever added this didn't configure the helm-docs comment correctly and then manually updated the README to work around it. When I ran helm-docs for this PR it was removed.

@@ -62,16 +62,29 @@ spec:
containers:
- name: {{ .Values.controller.containerName | default "controller" }}
securityContext:
privileged: false
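Review bot: `privileged: false` is hard-coded in the controller container's securityContext with no value behind it; the API reference quoted in this thread says the field cannot be set when `spec.os.name` is `windows`, so either wrap it in a template condition on the pod OS or expose it under the container-level securityContext values this PR already introduces, so that Windows deployments can omit it. Keeping `false` as the Linux default is fine, since the author states Karpenter never needs privileged mode.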
Contributor

Is this something you wanted to add? If so, should we parameterize it for backwards compatibility like the others?

Contributor Author

There is no need to make this optional as Karpenter doesn't need it. Some systems want it explicitly set for policy purposes.

Contributor

From the docs:

privileged boolean
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.

So I don't think we can set it without parameterizing it.

Contributor Author

The default is unprivileged, we're just making it explicit as some org policies require it to be so. Karpenter will never need this so there is no valid reason to set it otherwise. Helm charts should only offer customisation where required, first party Helm charts even more so.

Contributor

> The default is unprivileged, we're just making it explicit as some org policies require it to be so.

But setting it will break windows like I linked above. So why not offer it as a parameter for anyone who wants to set it?
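The precedence rule and the Windows restriction argued over above, as an added example that is not part of this PR or of the Karpenter chart: a Python policy check over a rendered pod spec. The spec dicts are constructed here, and the rule that `seccompProfile` is likewise unsettable on Windows comes from the same API reference the reviewer cites, not from this thread.

```python
# Added example (not code from the PR or the Karpenter chart): a policy check over a
# rendered pod spec for the fields debated in this thread. The spec dicts below are
# constructed by hand; the precedence and Windows rules follow the API reference
# quoted in the thread (seccompProfile is Linux-only like privileged; that detail is
# from the same reference, not from this PR).

def effective_run_as_non_root(pod_spec, container):
    """Resolve runAsNonRoot: the container SecurityContext wins when both set it."""
    container_sc = container.get("securityContext") or {}
    if "runAsNonRoot" in container_sc:
        return container_sc["runAsNonRoot"]
    return (pod_spec.get("securityContext") or {}).get("runAsNonRoot")

def check_pod_spec(pod_spec):
    """Return policy findings for one pod spec; an empty list means it passes."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    is_windows = (pod_spec.get("os") or {}).get("name") == "windows"
    # seccompProfile cannot be set on Windows pods, so require it only elsewhere.
    if not is_windows and pod_sc.get("seccompProfile") != {"type": "RuntimeDefault"}:
        findings.append("pod: seccompProfile.type must be RuntimeDefault")
    for container in pod_spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        container_sc = container.get("securityContext") or {}
        if effective_run_as_non_root(pod_spec, container) is not True:
            findings.append(f"{name}: runAsNonRoot must resolve to true")
        if is_windows:
            # privileged cannot be set when spec.os.name is windows: it must be absent.
            if "privileged" in container_sc:
                findings.append(f"{name}: privileged must not be set when spec.os.name is windows")
        elif container_sc.get("privileged") is not False:
            findings.append(f"{name}: privileged must be explicitly false")
    return findings

# Constructed to match the defaults this PR proposes: fsGroup 65532, runAsNonRoot,
# RuntimeDefault seccomp at pod level, explicit privileged: false on the controller.
LINUX_SPEC = {
    "securityContext": {"fsGroup": 65532, "runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "controller", "securityContext": {"privileged": False}}],
}
# The same template rendered for a Windows pod reproduces the reviewer's objection.
WINDOWS_SPEC = {**LINUX_SPEC, "os": {"name": "windows"}}

if __name__ == "__main__":
    for label, spec in (("linux", LINUX_SPEC), ("windows", WINDOWS_SPEC)):
        print(label, check_pod_spec(spec) or "ok")
```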

coveralls

Pull Request Test Coverage Report for Build 12771160071 (warning: this report may be inaccurate because the base commit is no longer the HEAD of the target branch, so it includes changes from outside the pull request). 0 of 0 changed or added relevant lines in 0 files are covered; no unchanged relevant lines lost coverage; overall coverage increased (+0.02%) to 64.959% (change from base Build 12754714725: 0.02%; covered lines 5782, relevant lines 8901).

@stevehipwell stevehipwell force-pushed the chart-security-context branch 3 times, most recently from 775c5d2 to a81a0d6 Compare January 20, 2025 11:07
@stevehipwell stevehipwell force-pushed the chart-security-context branch from a81a0d6 to 35471b8 Compare January 20, 2025 11:12